Prevent registry operations against disabled namespaces

Allows admins to completely wall off a namespace by disabling it

Fixes https://jira.coreos.com/browse/QUAY-869

endpoints/v1/index.py

@@ -30,6 +30,16 @@ class GrantType(object):
   WRITE_REPOSITORY = 'write'
 
 
+def ensure_namespace_enabled(f):
+  @wraps(f)
+  def wrapper(namespace_name, repo_name, *args, **kwargs):
+    if not model.is_namespace_enabled(namespace_name):
+      abort(400, message='Namespace is disabled. Please contact your system administrator.')
+
+    return f(namespace_name, repo_name, *args, **kwargs)
+  return wrapper
+
+
 def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
   def decorator_method(f):
     @wraps(f)
@@ -149,6 +159,7 @@ def update_user(username):
 @v1_bp.route('/repositories/<repopath:repository>/', methods=['PUT'])
 @process_auth
 @parse_repository_name()
+@ensure_namespace_enabled
 @generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201)
 @anon_allowed
 def create_repository(namespace_name, repo_name):
@@ -205,6 +216,7 @@ def create_repository(namespace_name, repo_name):
 @v1_bp.route('/repositories/<repopath:repository>/images', methods=['PUT'])
 @process_auth
 @parse_repository_name()
+@ensure_namespace_enabled
 @generate_headers(scope=GrantType.WRITE_REPOSITORY)
 @anon_allowed
 def update_images(namespace_name, repo_name):
@@ -238,6 +250,7 @@ def update_images(namespace_name, repo_name):
 @v1_bp.route('/repositories/<repopath:repository>/images', methods=['GET'])
 @process_auth
 @parse_repository_name()
+@ensure_namespace_enabled
 @generate_headers(scope=GrantType.READ_REPOSITORY)
 @anon_protect
 def get_repository_images(namespace_name, repo_name):
@@ -268,6 +281,7 @@ def get_repository_images(namespace_name, repo_name):
 @v1_bp.route('/repositories/<repopath:repository>/images', methods=['DELETE'])
 @process_auth
 @parse_repository_name()
+@ensure_namespace_enabled
 @generate_headers(scope=GrantType.WRITE_REPOSITORY)
 @anon_allowed
 def delete_repository_images(namespace_name, repo_name):
@@ -276,6 +290,7 @@ def delete_repository_images(namespace_name, repo_name):
 
 @v1_bp.route('/repositories/<repopath:repository>/auth', methods=['PUT'])
 @parse_repository_name()
+@ensure_namespace_enabled
 @anon_allowed
 def put_repository_auth(namespace_name, repo_name):
   abort(501, 'Not Implemented', issue='not-implemented')

endpoints/v1/models_interface.py

@@ -203,3 +203,8 @@ class DockerRegistryV1DataInterface(object):
     Returns a sorted list of repositories matching the given search term.
     """
     pass
+
+  @abstractmethod
+  def is_namespace_enabled(self, namespace_name):
+    """ Returns whether the given namespace exists and is enabled. """
+    pass

endpoints/v1/models_pre_oci.py

@@ -163,6 +163,10 @@ class PreOCIModel(DockerRegistryV1DataInterface):
       search_term, filter_username=filter_username, offset=offset, limit=limit)
     return [_repository_for_repo(repo) for repo in repos]
 
+  def is_namespace_enabled(self, namespace_name):
+    namespace = model.user.get_namespace_user(namespace_name)
+    return namespace is not None and namespace.enabled
+
 
 def _repository_for_repo(repo):
   """ Returns a Repository object representing the Pre-OCI data model instance of a repository. """

endpoints/v1/registry.py

@@ -15,6 +15,7 @@ from data import model, database
 from digest import checksums
 from endpoints.v1 import v1_bp
 from endpoints.v1.models_pre_oci import pre_oci_model as model
+from endpoints.v1.index import ensure_namespace_enabled
 from endpoints.decorators import anon_protect
 from util.http import abort, exact_abort
 from util.registry.filelike import SocketReader
@@ -75,6 +76,7 @@ def set_cache_headers(f):
 @v1_bp.route('/images/<image_id>/layer', methods=['HEAD'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @require_completion
 @set_cache_headers
 @anon_protect
@@ -112,6 +114,7 @@ def head_image_layer(namespace, repository, image_id, headers):
 @v1_bp.route('/images/<image_id>/layer', methods=['GET'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @require_completion
 @set_cache_headers
 @anon_protect
@@ -151,6 +154,7 @@ def get_image_layer(namespace, repository, image_id, headers):
 @v1_bp.route('/images/<image_id>/layer', methods=['PUT'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @anon_protect
 def put_image_layer(namespace, repository, image_id):
   logger.debug('Checking repo permissions')
@@ -259,6 +263,7 @@ def put_image_layer(namespace, repository, image_id):
 @v1_bp.route('/images/<image_id>/checksum', methods=['PUT'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @anon_protect
 def put_image_checksum(namespace, repository, image_id):
   logger.debug('Checking repo permissions')
@@ -331,6 +336,7 @@ def put_image_checksum(namespace, repository, image_id):
 @v1_bp.route('/images/<image_id>/json', methods=['GET'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @require_completion
 @set_cache_headers
 @anon_protect
@@ -365,6 +371,7 @@ def get_image_json(namespace, repository, image_id, headers):
 @v1_bp.route('/images/<image_id>/ancestry', methods=['GET'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @require_completion
 @set_cache_headers
 @anon_protect
@@ -392,6 +399,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
 @v1_bp.route('/images/<image_id>/json', methods=['PUT'])
 @process_auth
 @extract_namespace_repo_from_session
+@ensure_namespace_enabled
 @anon_protect
 def put_image_json(namespace, repository, image_id):
   logger.debug('Checking repo permissions')